Add notes re dangers of identity write endpoints. (#12365)

website/content/api-docs/secret/identity/entity-alias.mdx

@@ -6,6 +6,11 @@ description: >-
   store.
 ---
 
+~> **NOTE:** Be careful in granting permissions to non-readonly identity endpoints.
+If a user can modify an entity, they can grant it additional privileges through
+policies.  If a user can modify an alias they can login with, they can bind it to
+an entity with higher privileges.
+
 ## Create an Entity Alias
 
 This endpoint creates a new alias for an entity.

website/content/api-docs/secret/identity/group.mdx

@@ -4,6 +4,10 @@ page_title: 'Identity Secret Backend: Group - HTTP API'
 description: This is the API documentation for managing groups in the identity store.
 ---
 
+~> **NOTE:** Be careful in granting permissions to non-readonly identity group
+endpoints. If a user can modify group membership, they can add their entity to
+a group with higher privileges.
+
 ## Create a Group
 
 This endpoint creates or updates a Group.

website/content/docs/secrets/identity.mdx

@@ -70,6 +70,12 @@ _additional_ capabilities and not a replacement for the policies on the token.
 To know the full set of capabilities of the token with an associated entity
 identifier, the policies on the token should be taken into account.
 
+~> **NOTE:** Be careful in granting permissions to non-readonly identity endpoints.
+If a user can modify an entity, they can grant it additional privileges through
+policies.  If a user can modify an alias they can login with, they can bind it to
+an entity with higher privileges.  If a user can modify group membership, they
+can add their entity to a group with higher privileges.
+
 ### Mount Bound Aliases
 
 Vault supports multiple authentication backends and also allows enabling the